From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Greg Scott"
Date: Mon, 16 Sep 2002 23:48:10 +0000
Subject: RE: [LARTC] Re: Routing/NAT question
Message-Id:
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

> but I want the 192.168.101.0/24 machines to be able to
> talk to the 10.140.227.224/27 network also but only for the subnets listed
> below.

OK...here I go again, I'll give this another shot.

So you want your 10.xxx networks to communicate with your 192.168.xxx
networks, right? Both are behind a Linux FW. The 10.xx network uses a
gateway IP also of 10.xx. The 192.168.xxx network uses a gateway IP in the
192.168.xxx range. Both of these gateway IP addresses could be NICs inside
the same firewall - they might even be aliases of the same NIC but they
really should be different NICs.

If this is true, then . . . You still don't have a problem.

Remember that a firewall is really a router with a bunch of rules to decide
whether or not to forward packets. The classic firewall installation routes
between a single internal network and the Internet so the routing part is
pretty simple. But this is really no different than routing among two or
several internal networks and the Internet. Simply assign the appropriate
gateway IP address to each system in the various networks, put in a bunch of
packet filtering rules in your firewall, and turn on IP forwarding. It will
"know" to send traffic between the 10.xx guys and the 192.168.xxx guys
because it will be a member of both networks.

fwiw, I have a customer right now with 4 NICs and 4 separate internal
networks. We can argue about whether or not this is a good idea, but all 4
internal networks can see all the other internal networks just fine. No
special routes, no LARTC stuff, nothing fancy.

Now, let's say you want to restrict one of those networks from getting out
to the Internet - no problem, you can do that with just a couple of rules.
Put in rules in your FORWARD table that ACCEPT packets from the networks you
want, then put in a DROP rule after that. (Or just make DROP your policy and
then you don't need a DROP rule.)

Did I get it right this time?

- Greg Scott

-----Original Message-----
From: Tom Diehl [mailto:tdiehl@rogueind.com]
Sent: Monday, September 16, 2002 11:35 AM
To: Martin A. Brown
Cc: lartc@mailman.ds9a.nl
Subject: [LARTC] Re: Routing/NAT question

On Fri, 13 Sep 2002, Martin A. Brown wrote:

Hi Martin,

First I want to apologize for my inability to explain this correctly. I feel
pretty stupid right now. I will try again.

> : > (or use the traditional redhat ifcfg-eth1:0 technique)
> : >
> : > and tell the internal machines that the default gateway is 10.140.227.245.
> :
> : OK, but as I said in the diagram below my connection to the internet is
> : on wan0 via iptables and NAT. Will not 2 default routes confuse things?
>
> default gateway on the linux box
> - - - - - - - - - - - - - - - - - -
> I think you missed my drift--your linux box will have one default route to
> the T1 (wan0) peer endpoint or ISP access router. (Yes, Greg Scott is
> right when he mentions that linux supports multiple routing tables, but
> you do not need them for this scenario.)
>
> default gateway on internal machines
> - - - - - - - - - - - - - - - - - -
> Each of your internal machines which is locally connected to the same
> ethernet/IP network as the linux box will use the linux box as its default
> gateway. Machines in the 10.140.227.224/27 network will use
> 10.140.227.245 as a default gateway. Machines in 192.168.101.0/24 will
> use 192.168.101.5 as a default gateway.

OK, I understand this but I want the 192.168.101.0/24 machines to be able to
talk to the 10.140.227.224/27 network also but only for the subnets listed
below. All other traffic goes out the default route to the internet (wan0).
I am trying to eliminate the 2nd pc on some desks and to do that the
machines on the 192.168.* net must be able to talk to the 10.* net.

>
> : In addition I only want traffic for the following 8 specific subnets
> : routed down the 10.140.x.x pipe. They are 10.140.0.0/16, 10.141.0.0/16,
> : 10.142.0.0/16, 151.193.141.0/24, 162.92.160.0/24. All other traffic
> : should go out to the internet via wan0.
> : Does this make sense?
>
> Sure....seems clear to me. You have a couple of internal networks
> behind a router on the locally connected 10.140.227.245/27 network.
> So, assuming that 10.140.227.254 is the gateway to your remote
> networks*:
>
> # route add -net 10.140.0.0 netmask 255.255.0.0 gw 10.140.227.254
> # route add -net 10.141.0.0 netmask 255.255.0.0 gw 10.140.227.254
> # route add -net 10.142.0.0 netmask 255.255.0.0 gw 10.140.227.254
> # route add -net 151.193.141.0 netmask 255.255.255.0 gw 10.140.227.254
> # route add -net 162.92.160.0 netmask 255.255.255.0 gw 10.140.227.254
>
> And repeat as necessary up to your eight subnets.
>
> Really though, there's nothing LARTC about this setup--sure you are using
> Sangoma's (wonderful) T1 card, but you don't need any of the fancy routing
> tricks and tips usually discussed in this forum.

I really love the wanpipe cards. We bought and deployed almost a dozen of
them. As far as the fancy tricks discussed here I think I really do need
them but I am just not good at explaining what I am trying to do. Sorry.
:-(

>
> * If I recall correctly, you are using RedHat...you can append the
> following lines to your /etc/sysconfig/static-routes file to have these
> routes added at network restart (boot):
>
> eth0 net 10.141.0.0 netmask 255.255.0.0 gw 10.140.227.254
> eth0 net 10.142.0.0 netmask 255.255.0.0 gw 10.140.227.254
> eth0 net 151.193.141.0 netmask 255.255.255.0 gw 10.140.227.254
> eth0 net 162.92.160.0 netmask 255.255.255.0 gw 10.140.227.254
>
> Of course, you should use the correct ethernet interface.....

Understood. Thanks for the help everyone. I am not ready to give up yet.
Your patience is appreciated.

--
.............Tom        "Nothing would please me more than being able to
tdiehl@rogueind.com     hire ten programmers and deluge the hobby market with
                        good software." -- Bill Gates 1976
                        We are still waiting ....

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
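As an added example (not from the thread or from any of its authors), here is the firewall side of what Greg and Martin describe, using Tom's subnet list: specific routes for the listed subnets via 10.140.227.254, and a FORWARD chain with a DROP policy that admits only 192.168.101.0/24 traffic to the local /27, to those subnets, and to the Internet via wan0. Assumptions: eth0 is the interface on the 10.140.227.224/27 network, the Internet NAT is masquerade, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Names taken from the thread: wan0 (T1,
# default route + NAT), eth0 on 10.140.227.224/27, gateway 10.140.227.254.
# DRY_RUN=1 (default) prints the commands instead of executing them.
set -eu
DRY_RUN=${DRY_RUN:-1}
LAN_NET=192.168.101.0/24         # office network that must reach the 10.x side
LOCAL_PIPE_NET=10.140.227.224/27 # locally connected network on the pipe side
PIPE_IF=eth0                     # interface on LOCAL_PIPE_NET (assumed, as in thread)
PIPE_GW=10.140.227.254           # gateway toward the remote subnets
WAN_IF=wan0                      # Sangoma T1: default route, masqueraded
# Only these subnets go down the 10.140.x.x pipe; everything else uses wan0.
PIPE_NETS="10.140.0.0/16 10.141.0.0/16 10.142.0.0/16 151.193.141.0/24 162.92.160.0/24"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Static routes: more specific than the default, so they win for PIPE_NETS
# while every other destination still falls through to wan0.
add_pipe_routes() {
  for net in $PIPE_NETS; do
    run ip route add "$net" via "$PIPE_GW" dev "$PIPE_IF"
  done
}

# FORWARD chain as Greg describes it: DROP policy, then ACCEPT only the
# traffic we want. Return traffic is admitted by connection tracking, so the
# 10.x side can answer without a blanket 10.x -> 192.168.x rule.
add_forward_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -s "$LAN_NET" -d "$LOCAL_PIPE_NET" -o "$PIPE_IF" -j ACCEPT
  for net in $PIPE_NETS; do
    run iptables -A FORWARD -s "$LAN_NET" -d "$net" -o "$PIPE_IF" -j ACCEPT
  done
  # Everything else from the LAN leaves via the T1 (NAT assumed to be masquerade).
  run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Number of ACCEPT rules that send LAN traffic out the pipe interface (sanity check).
pipe_accept_count() {
  add_forward_rules | grep -c -- "-o $PIPE_IF -j ACCEPT"
}

add_pipe_routes
add_forward_rules
```

Run with DRY_RUN=0 as root to apply; the printed list in the default mode is the same thing you would paste into a RedHat-style static-routes or rc.local file, and the pipe rules deliberately omit any 10.x -> 192.168.x ACCEPT so only the LAN can open connections.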